(RADIATOR) Endless-Loop when wrong passwd and AuthBySQL
Denis Pavani
d.pavani at cineca.it
Tue Apr 22 06:37:25 CDT 2003
To tell the truth, I had the same problem on a radius configuration with
LDAP2 authentication.
It looked for default, then default1 and so on.
I used "NoDefault" to patch the problem.
Hope it helps
Regards
Mike McCauley wrote:
>Hello Peter,
>
>Hugh's earlier response concerning NoDefault is a good workaround to your
>problem, but...
>
>Normally Radiator detects when it runs out of DEFAULT usernames and does not
>go into an endless loop like that.
>Your symptoms make me think that your DBD-Oracle is not behaving correctly
>when it gets an empty result from your AuthSelect query.
>
>What versions of DBD-Oracle and the Oracle client library are you using?
>On what platform?
>
>Cheers.
>
>
>
>On Thu, 17 Apr 2003 10:27 pm, Peter Gruber wrote:
>
>
>>Hi all,
>>
>>I use the AuthBySQL to authenticate via an Oracle-Database. When the passwd
>>is correct, everything works fine. When the password is incorrect, the
>>radiator goes into an endless-loop (see the trace 4 - output) and can just
>>be "-9" killed. During this loop, it is not possible to authenticate even
>>with the correct password - the radiusd seems to be completely confused.
>>
>>I use the Radiator 3.5 (Demo) on a debian-box.
>>
>>Did anybody have the same problem or know what could be the reason for that
>>behaviour?
>>
>>
>>Best regards and THX ahead,
>>Peter
>>
>>
>>This is the output of the Trace 4:
>>*** Received from x.y.z.z port 1645 ....
>>Code: Access-Request
>>Identifier: 54
>>Authentic: <229><193><169>R<157><178>j.<20>F^<154>#Z<237><149>
>>Attributes:
>> Framed-Protocol = PPP
>> Username = "wedu at xxx"
>> CHAP-Password = xxx
>> NAS-Port = 1
>> NAS-Port-Type = Virtual
>> Service-Type = Framed-User
>> NAS-IP-Address = x.y.z.z
>>
>>Thu Apr 17 13:43:04 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>>Thu Apr 17 13:43:04 2003: DEBUG: Deleting session for wedu at xxx, x.y.z.z, 1
>>Thu Apr 17 13:43:04 2003: DEBUG: Handling with Radius::AuthSQL
>>Thu Apr 17 13:43:04 2003: DEBUG: Handling with Radius::AuthSQL:
>>Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype,
>>framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM ads l_auth
>>WHERE username = 'wedu'
>>
>>Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with wedu at xxx
>>Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
>>Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype,
>>framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM ads l_auth
>>WHERE username = 'wedu'
>>
>>Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with DEFAULT
>>Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
>>Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype,
>>framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM ads l_auth
>>WHERE username = 'wedu'
>>
>>Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with DEFAULT1
>>Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
>>Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype,
>>framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM ads l_auth
>>WHERE username = 'wedu'
>>
>>Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with DEFAULT2
>>Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
>>Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype,
>>framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM ads l_auth
>>WHERE username = 'wedu'
>>
>>Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL looks for match with DEFAULT3
>>Thu Apr 17 13:43:04 2003: DEBUG: Radius::AuthSQL REJECT: Bad Password
>>Thu Apr 17 13:43:04 2003: DEBUG: Query is: SELECT passwd, servicetype,
>>framedprotocol,ip_address,framedipnetmask,ciscoavpair FROM ads l_auth
>>WHERE username = 'wedu'
>>
>>and so on...
>>
>>
>>
>>This is the (partial) radius.cfg:
>>Trace 4
>>
>>Foreground
>>AuthPort 1812
>>AcctPort 1813
>>DictionaryFile /usr/local/etc/dictionary
>>DefineFormattedGlobalVar ORACLEHOME /u01/app/oracle/product/9.2.0
>>LogDir /var/log/radius
>>LogFile /var/log/radius/radius.log
>>
>><Client DEFAULT>
>> Secret testsecret
>> DupInterval 2
>></Client>
>>
>>
>><Realm DEFAULT>
>> PasswordLogFileName /var/log/radius/password.log
>> AcctLogFileName /var/log/radius/acct.log
>>
>> <AuthBy SQL>
>> DBSource dbi:Oracle:xxx
>> DBUsername xxx
>> DBAuth xxx
>>
>> AuthSelect SELECT passwd, \
>> servicetype, \
>> framedprotocol,\
>> ip_address,\
>> framedipnetmask,\
>> ciscoavpair \
>> FROM xxxxx \
>> WHERE username = '%w'
>>
>> AuthColumnDef 0,User-Password, check
>> AuthColumnDef 1,Service-Type,reply
>> AuthColumnDef 2,Framed-Protocol,reply
>> AuthColumnDef 3,Framed-IP-Address,reply
>> AuthColumnDef 4,Framed-IP-Netmask,reply
>> AuthColumnDef 5,cisco-avpair,reply
>>
>> IgnoreAccounting
>> </AuthBy>
>>
>>
>> <AuthBy GROUP>
>> AuthByPolicy All
>> IgnoreAuthentication
>> <AuthBy SQL>
>> DBSource dbi:Oracle:xxx
>> DBUsername xxx
>> DBAuth xxx
>> AccountingStartsOnly
>> IgnoreAuthentication
>> AcctSQLStatement update /*+ USE_CONCAT */ xxx \
>>.
>>.
>>.
>> </AuthBy>
>>
>> <AuthBy SQL>
>> DBSource dbi:Oracle:xxx
>> DBUsername xxx
>> DBAuth xxx
>> AccountingAlivesOnly
>> AcctFailedLogFileName /var/log/radius/acctfail.log
>> IgnoreAuthentication
>> AcctSQLStatement insert into xxx
>>.
>>.
>>.
>> AcctSQLStatement update /*+ USE_CONCAT */ xxx \
>>.
>>.
>>.
>> </AuthBy>
>>
>> <AuthBy SQL>
>> DBSource dbi:Oracle:xxx
>> DBUsername xxx
>> DBAuth xxx
>> AccountingStopsOnly
>> AcctFailedLogFileName /var/log/radius/acctfail.log
>> IgnoreAuthentication
>> AcctSQLStatement insert into xxx
>>.
>>.
>>.
>> AcctSQLStatement update /*+ USE_CONCAT */ xxx \
>>.
>>.
>>.
>> </AuthBy>
>> </AuthBy>
>></Realm>
>>===
>>Archive at http://www.open.com.au/archives/radiator/
>>Announcements on radiator-announce at open.com.au
>>To unsubscribe, email 'majordomo at open.com.au' with
>>'unsubscribe radiator' in the body of the message.
>>
>>
>
>
>
--
************************************************************************
Denis Pavani
CINECA - Comunicazioni e Sistemi Distribuiti
NOC - Network Operation Center
phone:+39 0516171953 / fax:+39 0516132198
http://www.cineca.it
************************************************************************
"We are paid to adapt, improvise and achieve the objective"
-- Gunny Highway
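
Added example, not part of the original messages and not Radiator code: a log check that flags any request whose Trace 4 output walks through more DEFAULT, DEFAULT1, DEFAULT2, ... lookups than the user database can contain, which is the signature of the loop in the quoted trace. The function name, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re

# Scans in log order for (a) the start of a request and (b) a DEFAULT,
# DEFAULT1, DEFAULT2, ... lookup. [\s>]+ tolerates entries that a mail client
# re-wrapped or quoted with ">", as in the trace above.
EVENT_RE = re.compile(
    r"Handling request with Handler[\s>]+'(?P<handler>[^']*)'"
    r"|(?P<module>Radius::\w+) looks for match with[\s>]+DEFAULT(?P<n>\d*)\b"
)

def find_default_runaways(log_text, max_defaults=3):
    """Return the requests that tried more than max_defaults DEFAULT users.

    max_defaults is an assumed threshold: set it to the number of DEFAULTn
    entries the user database really contains.
    """
    requests = []
    for m in EVENT_RE.finditer(log_text):
        if m.group("handler") is not None:      # a new request begins
            requests.append({"handler": m.group("handler"), "module": None,
                             "default_lookups": 0, "highest": None})
        elif requests:                          # DEFAULTn lookup for that request
            req = requests[-1]
            n = int(m.group("n") or 0)          # plain DEFAULT counts as index 0
            req["module"] = m.group("module")
            req["default_lookups"] += 1
            req["highest"] = n if req["highest"] is None else max(req["highest"], n)
    return [r for r in requests if r["default_lookups"] > max_defaults]

# Constructed sample in Radiator Trace 4 style; some entries are deliberately
# wrapped and ">"-quoted the way the trace in this thread is.
TS = "Thu Apr 17 13:43:04 2003: DEBUG: "
SAMPLE = (
    TS + "Handling request with Handler\n>>'Realm=DEFAULT'\n"
    + TS + "Radius::AuthSQL looks for match with wedu\n"
    + TS + "Radius::AuthSQL looks for match with\n>>DEFAULT "
    + TS + "Radius::AuthSQL REJECT: Bad\n>>Password\n"
    + "".join(TS + f"Radius::AuthSQL looks for match with DEFAULT{i}\n"
              for i in range(1, 5))
    + TS + "Handling request with Handler 'Realm=example'\n"
    + TS + "Radius::AuthSQL looks for match with DEFAULT\n"
)

if __name__ == "__main__":
    for r in find_default_runaways(SAMPLE):
        print(f"{r['module']} under handler {r['handler']}: "
              f"{r['default_lookups']} DEFAULT lookups, highest DEFAULT{r['highest']}")
```

With NoDefault set on the AuthBy clause, as suggested in this thread, no DEFAULT lookups should appear at all, so the threshold can be set to 0.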